我浏览了很多与此主题相关的文章,例如:
Using PHP 5.5's password_hash and password_verify function
然而,我不确定我是否正在以正确的方式进行散打和腌制!或者
我想用自己的盐然后哈希。 salt和散列密码都存储在数据库的两个不同字段中。
这是我在存储到数据库
之前对密码进行散列的方式$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$salt = sprintf("$2a$%02d$", $cost) . $salt;
//shall I remove this line and replace below PASSWORD_DEFAULT with PASSWORD_BCRYPT instead?
$password = crypt($data['password'], $salt);
$hash = password_hash($password, PASSWORD_DEFAULT);
鉴于此,我尝试验证密码如下:不知何故,我觉得我让这个过程变得复杂。
$salt=$row['salt'];//taken from db
$hashAndSalt=$row['hashpword'];//taken from db
$password="pwtester";//user keyed in password
$newpassword = crypt($password, $salt);
$newhash = password_hash($newpassword, PASSWORD_DEFAULT);
if (password_verify($password, $newhash)) {
echo"verified";
}
else
{
echo"Not verified";
}
编辑:
现在我这样存储:
$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$options = array('cost' => $cost,'salt' => $salt);
$hash = password_hash($data['password'], PASSWORD_DEFAULT,$options);
但验证令人困惑:
$email = "test55@gmail.com";
$uid= '555ca83664caf';
$sql = "SELECT *FROM authsessions WHERE email =:myemail AND useruuid =:uid";
$statement = $pdo->prepare($sql);
$statement->bindValue(':myemail', $email);
$statement->bindValue(':uid', $uid);
$statement->execute();
while( $row = $statement->fetch()) {
echo "salt ".$row['salt']."<br/><br/>";
echo "hashpassword ".$row['hashpword'];
}
$salt=$row['salt'];
$hashAndSalt=$row['hashpword'];
$password="test55";
$newhash = password_hash($password+$salt, PASSWORD_DEFAULT);
if (password_verify($newhash, $hashAndSalt)) {
echo"verified";
}
else
{
echo"Not verified";
}
它回应&#34;未验证&#34;
答案 0 :(得分:6)
函数password_hash()只是一个包装器,在内部生成一个加密安全的salt,然后调用crypt()函数来计算BCrypt哈希。
所以没有理由自己做同样的步骤(不要调用crypt()并且不生成盐)。建议不要生成自己的salt,因为你不能比password_hash函数做得更好。此外,没有理由将salt存储在单独的db列中,它已经是生成的哈希值的一部分。
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
答案 1 :(得分:4)
这将正确验证,因为它应该。
//on creating an account, a user enters a password!
$password="pwtester";//user keyed in password
$newhash = password_hash($password, PASSWORD_DEFAULT);
//#newhash now has the only value that you need to store in the db
//you do not need any more than this value, that you retrieve when you
//want to verify your password!
//this part is only done to verify passwords!
if (password_verify($password, $newhash)) {
echo"verified";
}
else
{
echo"Not verified";
}
所以,只要你已经在db
中存储了哈希$newhash=$row['hashpword'];//taken from db
$password="pwtester";//user keyed in password
if (password_verify($password, $newhash)) {
echo"verified";
}
else
{
echo"Not verified";
}
应该工作!
答案 2 :(得分:1)
密码存储:
$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$options = array('cost' => $cost,'salt' => $salt);
$hash = password_hash($data['password'], PASSWORD_DEFAULT,$options);
密码验证:
<?php
include('config.php');
$email = "test55@gmail.com";
$uid= '555cb0a63f08d';
$sql = "SELECT *FROM authsessions WHERE useruuid =:uid";
$statement = $pdo->prepare($sql);
$statement->bindValue(':uid', $uid);
$statement->execute();
while( $row = $statement->fetch()) {
echo "salt ".$salt=$row['salt']."<br/><br/>";
echo "hashpassword ".$hashAndSalt=$row['hashpword'];
echo"<br/>";
}
$password="nony";
//$newhash = password_hash($password+$salt, PASSWORD_DEFAULT);
if (password_verify($password, $hashAndSalt)) {
echo"verified";
}
else
{
echo"Not verified";
}
?>
答案 3 :(得分:0)
您将密码哈希2次。 保留crypt功能,你应该没问题。
只需查看有关password_verify和password_hash的PHP文档。
只需使用password_hash()保存密码即可。应该将哈希存储在数据库中。
要验证,您只需将hash与用户输入与password_verify进行比较。 Password_verify将为您完成剩余的工作:)